Symantec VIP Third-Party Configuration Guide


Table of Contents

About configuring third-party Identity Providers (IdPs) for VIP Services
Third-party IdP service workflow
Uploading the certificate for signing the assertion
Configuring your IdP Service
Overview of configuring Active Directory Federation Service as an IdP
Adding the AD FS Entity ID and the AD FS certificate to VIP Manager
Obtaining the AD FS certificate from the AD FS Management Console
Obtaining the Entity ID for the AD FS IdP Service
Uploading the AD FS Entity ID and the AD FS certificate
Configuring AD FS as your IdP service
Downloading the metadata
Adding relying party trust by importing the metadata
Editing Claim Rules for the Relying Party
Enabling the RelayState parameter for IdP-initiated sign-on (Self Service Portal only)
Generating the log-on URL (My VIP and Self Service Portal only)
Testing the AD FS IdP configuration
Overview of configuring Oracle Access Manager as an IdP
Adding the OAM Entity ID and OAM certificate to VIP Manager
Obtaining the OAM certificate
Obtaining the Entity ID for the OAM IdP service
Uploading the OAM Entity ID and OAM certificate
Configuring OAM as your IdP service
Enabling Federation Services in OAM Management Console
Create Service Provider Attributes Profiles
Create the Service Provider Partner by importing metadata
Download the metadata
Import the metadata into OAM
Import the metadata into OAM for the Self Service Portal
Import the metadata into OAM for VIP Manager
Test the OAM IdP configuration
Test the OAM IdP configuration for the Self Service Portal and My VIP
Test the OAM IdP configuration for VIP Manager
Troubleshooting OAM IdP configuration

About configuring third-party Identity Providers (IdPs) for VIP Services

Enterprises increasingly support a single sign-on experience across their web-based applications. Most popular web-based applications adhere to single sign-on standards: once end users log on to one enterprise application with their credentials, they are signed in to the other enterprise applications seamlessly, and can move between services securely without repeatedly presenting their credentials.

The Security Assertion Markup Language (SAML) is an XML-based standard developed and maintained by the OASIS Security Services Technical Committee. SAML is commonly used to exchange authentication and authorization information between enterprise identity providers, enterprise in-house or cloud applications, and end-user web browsers. You can integrate Symantec-hosted VIP Services with any SAML 2.0-compliant Identity Provider (IdP) by following the configuration steps described in this document.

VIP Enterprise Gateway can act as the IdP for your enterprise LDAP/AD directory, securing access to VIP Manager, My VIP, and the Self Service Portal. If you already operate a SAML 2.0-compliant single sign-on IdP, you can extend that single sign-on to VIP Services without configuring an additional VIP Enterprise Gateway-provided IdP. In other words, if you choose not to use VIP Enterprise Gateway to secure access to VIP Manager, My VIP, or the Self Service Portal, you can use a third-party IdP service to provide secure access to these web applications.

This guide describes how to extend the following third-party IdPs to allow single sign-on through VIP Services:

• Active Directory Federation Service (AD FS)

• Oracle Access Manager (OAM)

The third-party IdP service must be SAML 2.0-compliant. Additionally, the IdP service's clock must be synchronized with real time (for example, with a UTC time server): the assertion validity conditions your IdP puts in each assertion are evaluated against the SAML endpoint's clock, so a drifting IdP clock causes otherwise correct assertions to be rejected.

Third-party IdP service workflow

The following describes how a third-party IdP service provides secure access to a web application:

1. The enterprise user (either an end user or a VIP Manager administrator) within the enterprise firewall navigates to a specific URL provided by the IdP Service.

2. The IdP Service presents a sign-in page for the web application. The user enters authentication credentials, such as a user name and password.

3. The IdP service sends a SAML assertion to the service provider endpoint for My VIP, the Self Service Portal, or VIP Manager, as appropriate.

4. The service provider endpoint verifies the signature on the assertion against the certificate uploaded to VIP Manager and redirects the user to the main My VIP, Self Service Portal, or VIP Manager page.

If the redirection to the web application fails, the user is redirected to the web application sign-in screen.

Integrating VIP with a third-party IdP service involves the following general steps:

Table 1: General steps for integrating a third-party IdP service with VIP

Step  Description                                          More Information
1     Upload the certificate for signing the assertion.    Uploading the certificate for signing the assertion
2     Configure your IdP service.                          Configuring your IdP Service

For specific procedures on configuring an IdP service, see the following:

• Overview of configuring Active Directory Federation Service as an IdP

• Overview of configuring Oracle Access Manager as an IdP

Uploading the certificate for signing the assertion

The SAML assertion that the IdP service sends must be signed. You can use the VIP certificate you obtained from VIP Manager or use your own certificate for signing. In either case, you must upload the certificate into VIP Manager.

NOTE

As My VIP, the Self Service Portal, and VIP Manager use this certificate as the only means of trust for the SAML assertion, Symantec recommends that you use a certificate provided by a trusted third party, such as the VIP certificate. Do not use a self-signed certificate. Because this one certificate is the entire trust anchor, plan for its rotation: when your IdP starts signing with a new certificate, upload the new certificate to VIP Manager before the old one is retired, or sign-on stops working.

When uploading the certificate into VIP Manager, you will also need to provide the Entity ID that you use with your IdP service.

Next step:

See Configuring your IdP Service.

Configuring your IdP Service

The IdP service must be configured to send an unsolicited assertion (also called an IdP-initiated assertion) to the appropriate SAML endpoint. Refer to the documentation provided with your IdP service for details on setting up your IdP service.

• Send your SAML assertion to one of the following SAML endpoints:

– For My VIP access: https://login.vip.symantec.com/viplogin/saml2/SSO

– For Self Service Portal access: https://ssp.vip.symantec.com/vipssp/saml/SSO

– For VIP Manager access: https://manager.vip.symantec.com/vipmgr/saml/SSO

• For My VIP, the SAML Issuer element must contain your Entity ID, the same value you entered in VIP Manager together with the signing certificate. For the Self Service Portal and VIP Manager, this is not required.

• The assertion must include the appropriate attributes. You can send the following attributes in the assertion. The SAML endpoint does not honor custom attributes: any attribute not listed here is ignored.

Attribute/Conditions           Required?  Usage
User name (NameID)             Y          The user name of the user requesting secure access.
                                          • For My VIP and the Self Service Portal, this can be any string that uniquely identifies the user to your enterprise.
                                          • VIP Manager expects the NameID to be the email address of the administrator created in VIP Manager.
Signature conditions           Y          The signature on the assertion. Sending the signing certificate with the assertion is optional; if no certificate is sent, the SAML endpoint uses the certificate uploaded to VIP Manager.
Assertion validity conditions  N          Time range for which the assertion is valid.
PHONE                          N          The value of the phone number attribute in the LDAP/AD directory, for example telephoneNumber or homeTelephoneNumber.
EMAIL                          N          The value of any of the configured email attributes in the LDAP/AD directory, for example mail, email, or rfc822Mailbox.
GROUPS                         N          The VIP User Group name to which the user is mapped. This attribute is sent only if User Group Mapping is enabled and the user is a member of the given group.

• You can send the following HTTP POST parameters with the assertion.

Parameter      Required?  Usage
RelayStateUrl  Y          The URL to which the user is redirected if the SAML assertion is accepted.
                          • For My VIP: https://login.vip.symantec.com/viplogin/home
                          • For the Self Service Portal: https://ssp.vip.symantec.com/vipssp/home.v
                          • For VIP Manager, RelayStateUrl is not required.
successUrl     N          The URL to which the user is sent after signing out of My VIP, the Self Service Portal, or VIP Manager.
errorUrl       N          The URL to which the user is sent if authentication fails.
cancelUrl      N          The URL to which the user is sent if the user clicks Cancel on the Enter a Security Code log-on page, or if the redirection attempt times out.

For specific procedures on configuring an IdP service, see the following:

• Overview of configuring Active Directory Federation Service as an IdP

• Overview of configuring Oracle Access Manager as an IdP
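The workflow and the attribute contract described above, as an added example that is not part of this guide and not Symantec code: a small Python script that builds an unsigned IdP-initiated SAML 2.0 Response shaped the way the tables require, produces the HTTP POST form fields the endpoint receives, and lints a Response (for instance one captured from your IdP with a browser SAML tracer) for the mistakes the tables rule out: an Issuer that does not equal the Entity ID for My VIP, a NameID that is not an email address for VIP Manager, a validity window that misses the current time (the time-synchronization requirement), custom attributes that the endpoint silently drops, and a user who has neither PHONE nor EMAIL. The entity ID adfs.example.com and the user values are constructed for illustration. The script does not sign the assertion and does not verify a signature: signing is the IdP's job and VIP verifies it against the uploaded certificate, so treat this only as a pre-flight check on content.

```python
"""Added example (not Symantec/Broadcom code): build the IdP-initiated SAML
Response the guide describes and lint a captured one against its attribute
table.  Entity ID and user values are constructed for illustration."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

ENDPOINTS = {  # SAML endpoints listed in the guide
    "myvip": "https://login.vip.symantec.com/viplogin/saml2/SSO",
    "ssp": "https://ssp.vip.symantec.com/vipssp/saml/SSO",
    "manager": "https://manager.vip.symantec.com/vipmgr/saml/SSO",
}
HONORED = {"PHONE", "EMAIL", "GROUPS"}   # the endpoint ignores every other attribute
ISO = "%Y-%m-%dT%H:%M:%SZ"               # SAML timestamps are UTC


def _q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)


def _parse(ts):
    return dt.datetime.strptime(ts, ISO)


def build_response(issuer, name_id, attrs, not_before, not_on_or_after):
    """Unsigned Response/Assertion shaped as the guide requires (times are ISO
    strings).  The IdP must sign the Assertion; that signature is what VIP
    verifies against the certificate uploaded to VIP Manager."""
    resp = ET.Element(_q("samlp", "Response"), Version="2.0", IssueInstant=not_before)
    ET.SubElement(resp, _q("saml", "Issuer")).text = issuer
    asrt = ET.SubElement(resp, _q("saml", "Assertion"), Version="2.0", IssueInstant=not_before)
    ET.SubElement(asrt, _q("saml", "Issuer")).text = issuer
    subject = ET.SubElement(asrt, _q("saml", "Subject"))
    ET.SubElement(subject, _q("saml", "NameID")).text = name_id
    ET.SubElement(asrt, _q("saml", "Conditions"), NotBefore=not_before, NotOnOrAfter=not_on_or_after)
    stmt = ET.SubElement(asrt, _q("saml", "AttributeStatement"))
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, _q("saml", "Attribute"), Name=name)
        ET.SubElement(attr, _q("saml", "AttributeValue")).text = value
    return ET.tostring(resp, encoding="utf-8")


def post_fields(response_xml, relay_state_url=None):
    """Form fields of the HTTP POST to the SAML endpoint (SAMLResponse is base64)."""
    fields = {"SAMLResponse": base64.b64encode(response_xml).decode("ascii")}
    if relay_state_url:                       # required for My VIP / SSP, not for VIP Manager
        fields["RelayState"] = relay_state_url
    return fields


def check_assertion(response_xml, entity_id, target, now, skew_minutes=3):
    """Lint a Response against the guide's table.  `target` is one of the
    ENDPOINTS keys, `now` an ISO timestamp.  Returns a list of problems; an
    empty list means the content is acceptable.  The XML signature is NOT
    verified here."""
    problems = []
    asrt = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if asrt is None:
        return ["no Assertion element"]
    issuer = asrt.findtext("saml:Issuer", "", NS).strip()
    if target == "myvip" and issuer != entity_id:       # only My VIP requires this match
        problems.append("Issuer %r does not match Entity ID %r" % (issuer, entity_id))
    name_id = asrt.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not name_id:
        problems.append("NameID missing")
    elif target == "manager" and "@" not in name_id:
        problems.append("VIP Manager NameID must be the administrator's email address")
    cond = asrt.find("saml:Conditions", NS)
    if cond is not None:                                 # validity window with clock-skew tolerance
        skew = dt.timedelta(minutes=skew_minutes)
        nb, na, now_t = _parse(cond.get("NotBefore")), _parse(cond.get("NotOnOrAfter")), _parse(now)
        if not (nb - skew <= now_t < na + skew):
            problems.append("assertion not valid at %s; check IdP time sync" % now)
    sent = {a.get("Name") for a in asrt.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for name in sorted(sent - HONORED):
        problems.append("attribute %r is custom and will be ignored" % name)
    if target != "manager" and not sent & {"PHONE", "EMAIL"}:
        problems.append("no PHONE or EMAIL attribute: the user cannot receive a security code")
    return problems


if __name__ == "__main__":
    ENTITY_ID = "https://adfs.example.com/adfs/services/trust"   # constructed, not a real IdP
    xml = build_response(ENTITY_ID, "jdoe",
                         {"EMAIL": "jdoe@example.com", "PHONE": "+15555550100"},
                         "2021-01-01T12:00:00Z", "2021-01-01T12:05:00Z")
    print(post_fields(xml, "https://ssp.vip.symantec.com/vipssp/home.v")["RelayState"])
    print(check_assertion(xml, ENTITY_ID, "ssp", "2021-01-01T12:01:00Z"))       # []
    print(check_assertion(xml, ENTITY_ID, "manager", "2021-01-01T12:30:00Z"))   # two problems
```

Run it against a Response you captured from your own IdP (base64-decode the SAMLResponse field first) before pointing the IdP at the production endpoint; the blank-page and "No email or phone number options" failures listed later in this guide correspond to the Issuer and PHONE/EMAIL checks here.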

Overview of configuring Active Directory Federation Service as an IdP

You can configure Active Directory Federation Service (AD FS) as a third-party IdP service in VIP Services on the following platforms:

• Microsoft Windows 2008 R2 Server

NOTE

You must update Windows 2008 R2 Server with the Update Rollup 2 fixes for AD FS 2.0 to let AD FS 2.0 support the RelayState parameter for the SAML protocol.

• Microsoft Windows 2012 Server

• Microsoft Windows 2012 R2 Server

• Microsoft Windows 2016 Server

• Microsoft Windows 2019 Server

Before you configure AD FS as an IdP, you must first synchronize the AD FS server time with real time (for example, with a UTC Time Server).

To configure AD FS as a third-party IdP service in VIP Services, complete the following general steps:

Table 2: General steps for configuring AD FS as a third-party IdP service

Step  Description                                                         More Information
1     Add the AD FS Entity ID and the AD FS certificate to VIP Manager.   Adding the AD FS Entity ID and the AD FS certificate to VIP Manager
2     Configure AD FS as your IdP service.                                Configuring AD FS as your IdP service
3     Test the AD FS IdP configuration.                                   Testing the AD FS IdP configuration

Adding the AD FS Entity ID and the AD FS certificate to VIP Manager

Adding the AD FS Entity ID and the AD FS certificate to VIP Manager requires the following steps:

Table 3: General steps for adding the AD FS Entity ID and the AD FS certificate to VIP Manager

Step  Description                                                       More Information
1     Obtain the AD FS certificate from the AD FS Management Console.   Obtaining the AD FS certificate from the AD FS Management Console
2     Obtain the Entity ID for the AD FS IdP Service.                   Obtaining the Entity ID for the AD FS IdP Service
3     Upload the AD FS Entity ID and the AD FS certificate.             Uploading the AD FS Entity ID and the AD FS certificate

Obtaining the AD FS certificate from the AD FS Management Console

Complete the following steps to get the AD FS certificate from the AD FS Management console:

1. Access the appropriate AD FS Management console:

• On the Microsoft Windows 2008 R2 Server platform, open the AD FS 2.0 Management Console and click to expand AD FS 2.0.

• On Microsoft Windows 2012 Server platforms and later, open the AD FS Management Console and click to expand AD FS.

2. Expand Service and select Certificates.

3. On the right side, open the certificate listed under Token-Signing. If more than one token-signing certificate is listed, export the Primary one; that is the certificate AD FS currently uses to sign assertions.

4. Under the Details tab, click Copy to File.

5. Complete the Certificate Export Wizard and save the file in the .CER format.

NOTE

AD FS can renew its token-signing certificate automatically (the AutoCertificateRollover property). When the primary token-signing certificate changes, export the new certificate and upload it to VIP Manager before the old one is retired; assertions signed with a certificate that VIP Manager does not hold are rejected.

Next step:

Obtaining the Entity ID for the AD FS IdP Service

Obtaining the Entity ID for the AD FS IdP Service

Complete the following steps to get the Entity ID for the AD FS IdP service:

1. Access the appropriate AD FS Management console:

• On the Microsoft Windows 2008 R2 Server platform, open the AD FS 2.0 Management Console and click to expand AD FS 2.0.

• On Microsoft Windows 2012 Server platforms and later, open the AD FS Management Console and click to expand AD FS.

2. From the Action menu, select Edit Federation Service Properties (Federation Service Properties dialog box).

3. Under the General tab, if the URL in the Federation Service Identifier field starts with http, change it to https. Note that this identifier is the Issuer AD FS places in every assertion it signs, so changing it affects every relying party trust already configured on this AD FS server.

4. Copy and save the URL that displays in the Federation Service Identifier field. This is the Entity ID URL. For My VIP, the Issuer in the assertion must carry this exact value.

Next step:

Uploading the AD FS Entity ID and the AD FS certificate

Uploading the AD FS Entity ID and the AD FS certificate

Complete the following steps to add the AD FS Entity ID and the AD FS certificate to VIP Manager:

1. In VIP Manager, click the Account tab.

2. Under the Account tab, select Single Sign-on.

3. Click Edit next to IDP Service Settings (VIP Manager Single Sign-on page).

4. Enter the Entity ID URL that you saved earlier. See Obtaining the Entity ID for the AD FS IdP Service.

5. Click Browse to select the certificate that you saved earlier. See Obtaining the AD FS certificate from the AD FS Management Console.

6. Click Submit.

Next step:

Configuring AD FS as your IdP service

Configuring AD FS as your IdP service

Configuring AD FS as your IdP service requires the following steps:

Table 4: General steps for configuring AD FS as your IdP Service

Step  Description                                                                              More Information
1     Download and modify the metadata.                                                        Downloading the metadata
2     Add relying party trust by importing the metadata.                                       Adding relying party trust by importing the metadata
3     Edit Claim Rules for the Relying Party.                                                  Editing Claim Rules for the Relying Party
4     Enable the RelayState parameter for IdP-initiated sign-on (Self Service Portal only).   Enabling the RelayState parameter for IdP-initiated sign-on (Self Service Portal only)
5     Generate the log-on URL (My VIP and Self Service Portal only).                           Generating the log-on URL (My VIP and Self Service Portal only)

Steps 4 and 5 apply only to the applications named in their descriptions.

Downloading the metadata

Complete the following steps to download the metadata for My VIP, the Self Service Portal, or VIP Manager:

1. Download the metadata by accessing the appropriate link:

• For My VIP, access https://login.vip.symantec.com/viplogin/saml/metadata

• For the Self Service Portal, access https://ssp.vip.symantec.com/vipssp/saml/metadata

• For VIP Manager, access https://manager.vip.symantec.com/vipmgr/saml/metadata

2. Save the contents as an .xml file.

Next step:

Adding relying party trust by importing the metadata

Adding relying party trust by importing the metadata

Complete the following steps to add relying party trust by importing the metadata:

1. Access the appropriate AD FS Management console:

• On the Microsoft Windows 2008 R2 Server platform, open the AD FS 2.0 Management Console and click to expand AD FS 2.0.

• On Microsoft Windows 2012 Server platforms and later, open the AD FS Management Console and click to expand AD FS.

2. Expand Trust Relationships.

3. Right-click Relying Party Trusts, and then click Add Relying Party Trust (Add Relying Party Trust Wizard).

4. In the Add Relying Party Trust Wizard, click Start.

5. Select Import data about the relying party from a file.

6. Click Browse to select the metadata .xml file that you downloaded and modified earlier.

7. Proceed with the Add Relying Party Trust Wizard. In the final wizard screen, select the option to open the Edit Claim Rules Wizard.

Next step:

Editing Claim Rules for the Relying Party

Editing Claim Rules for the Relying Party

Complete the following steps to edit the claim rules:

1. In the Edit Claim Rules Wizard, click Add Rule under the Issuance Transform Rules tab.

2. In the Add Transform Claim Rule Wizard, do the following:

• In the Claim rule template list, select Send LDAP Attributes as Claims.

• On the next page, provide an appropriate name for the rule.

• In the Attribute Store list, select Active Directory.

• In the Mapping of LDAP attributes to outgoing claim types table, enter the attributes for the application you are configuring and click Finish. The outgoing claim type names must match exactly; the SAML endpoint ignores any other claim.

For My VIP:

LDAP Attribute       Outgoing Claim Type
SAM-Account-Name     Name ID
Telephone-Number     PHONE
E-Mail-Addresses     EMAIL
Mobile               MOBILE_PHONE

For the Self Service Portal:

LDAP Attribute       Outgoing Claim Type
SAM-Account-Name     Name ID
Telephone-Number     PHONE
E-Mail-Addresses     EMAIL
Mobile               MOBILE_PHONE

For VIP Manager:

LDAP Attribute       Outgoing Claim Type
E-Mail-Addresses     Name ID

VIP Manager expects the NameID to be the email address of the administrator created in VIP Manager, so the Name ID claim is issued from the email attribute rather than from SAM-Account-Name.

Next step:

• If configuring an IdP for the Self Service Portal: Enabling the RelayState parameter for IdP-initiated sign-on (Self Service Portal only)

• If configuring an IdP for My VIP: Generating the log-on URL (My VIP and Self Service Portal only)

• Otherwise: Testing the AD FS IdP configuration

Enabling the RelayState parameter for IdP-initiated sign-on (Self Service Portal only)

If configuring an IdP for the Self Service Portal, complete the following steps to enable the RelayState parameter for IdP-initiated sign-on:

1. In a standard text editor, open the appropriate configuration file:

• On Microsoft Windows 2008 R2 Server platforms, open the web.config file. This file is typically located at C:\inetpub\adfs\ls\

• On Microsoft Windows 2012 and 2012 R2 Server platforms, open the Microsoft.IdentityServer.Servicehost.exe.config file. This file is typically located at C:\Windows\ADFS\

2. Add the following entry between <microsoft.identityServer.web> and </microsoft.identityServer.web>:

<useRelayStateForIdpInitiatedSignOn enabled="true" />

3. Save the configuration file and restart the Active Directory Federation Services Windows service so that the setting takes effect.

4. On Windows 2016 Server and Windows 2019 Server, run the following command in PowerShell instead of editing a configuration file:

Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true

Next step:

Generating the log-on URL (My VIP and Self Service Portal only)

Generating the log-on URL (My VIP and Self Service Portal only)

If you are configuring an IdP for My VIP or the Self Service Portal, generate an encoded URL. Use the parameters in Table 5 (Encoded Log-in URL parameters) when generating the encoded URL.

NOTE

The domain name test.acme.com in these sample URLs is provided for illustrative purposes only. You must replace test.acme.com with your domain name in these URLs.

Complete the following steps to generate an encoded URL:

1. Create a string using the Relying Party Identifier (RPID) and Relay State / Target App values in Table 5. URL-encode each value on its own first, because the target URL itself contains ? and & characters that would otherwise be parsed as part of this string. The string should be formatted as follows:

RPID=<Relying Party Identifier>&RelayState=<Relay State / Target App>

2. URL-encode the whole string. Refer to https://social.technet.microsoft.com/wiki/contents/articles/13172.ad-fs-2-0-relaystate-generator.aspx for details on encoding the string; the generator there produces the fully encoded URL.

3. Append the encoded string to the string ?RelayState=.

4. Append this new string to the end of the IDP URL String.

The resulting encoded URL should be formatted as follows:

https://test.acme.com/adfs/ls/IdpInitiatedSignon.aspx?RelayState=<URL encoded string>

Table 5: Encoded Log-in URL parameters

Field                              Sample URL
IDP URL String                     https://test.acme.com/adfs/ls/IdpInitiatedSignon.aspx
Relying Party Identifier (RPID)    • For My VIP, use: https://login.vip.symantec.com
                                   • For the Self Service Portal, use: https://ssp.vip.symantec.com/vipssp
Relay State / Target App           • For My VIP, use:
                                   https://login.vip.symantec.com/viplogin/home?successUrl=https://test.acme.com/adfs/ls/?wa=wsignout1.0&cancelUrl=https://test.acme.com/adfs/ls/?wa=wsignout1.0&errorUrl=https://test.acme.com/adfs/ls/?wa=wsignout1.0
                                   • For the Self Service Portal, use:
                                   https://ssp.vip.symantec.com/vipssp/home.v?successUrl=https://test.acme.com/adfs/ls/?wa=wsignout1.0&cancelUrl=https://test.acme.com/adfs/ls/?wa=wsignout1.0&errorUrl=https://test.acme.com/adfs/ls/?wa=wsignout1.0

Next step:

Testing the AD FS IdP configuration

Testing the AD FS IdP configuration

To test that the AD FS IdP is correctly configured, access the appropriate URL and log on as an end user:

• For My VIP and the Self Service Portal, access the log-on URL you generated (see Generating the log-on URL (My VIP and Self Service Portal only)).

Overview of configuring Oracle Access Manager as an IdP

You can configure the following versions of Oracle Access Manager (OAM) as a third-party IdP service in VIP Services:

• Oracle Access Manager version 11g

• Oracle Access Manager version 12c

Before you configure OAM as an IdP, you must first synchronize the OAM server time with real time (for example, with a UTC Time Server).

To configure OAM as a third-party IdP service in VIP Services, complete the following general steps:

Table 6: General steps for configuring OAM as a third-party IdP service in VIP

Step  Description                                                 More Information
1     Add the OAM Entity ID and OAM certificate to VIP Manager.   Adding the OAM Entity ID and OAM certificate to VIP Manager
2     Configure OAM as your IdP service.                          Configuring OAM as your IdP service
3     Test the OAM IdP configuration.                             Test the OAM IdP configuration

Adding the OAM Entity ID and OAM certificate to VIP Manager

Complete the following procedures to add the OAM Entity ID and the OAM certificate to VIP Manager:

Table 7: General steps for adding the OAM Entity ID and OAM certificate to VIP Manager

Step  Description                                        More Information
1     Obtain the OAM certificate.                        Obtaining the OAM certificate
2     Obtain the Entity ID for the OAM IdP service.      Obtaining the Entity ID for the OAM IdP service
3     Upload the OAM Entity ID and OAM certificate.      Uploading the OAM Entity ID and OAM certificate

Obtaining the OAM certificate

Complete the following steps to obtain the OAM certificate:

1. Access one of the following URLs:

• http://<FQDN_OAM_MACHINE>:<OAM_PORT>/oamfed/idp/cert?id=osts_signing

• https://<FQDN_OAM_MACHINE>:<OAM_PORT>/oamfed/idp/cert?id=osts_signing

Where:

• <FQDN_OAM_MACHINE> is the fully-qualified domain name of the machine where OAM resides.

• <OAM_PORT> is the port on which OAM listens.

Prefer the https URL, or verify the fingerprint of the downloaded certificate out of band: this certificate becomes the only trust anchor for assertions sent to VIP, so a certificate substituted in transit would let whoever holds its private key forge sign-ons.

2. Save the content in .CER format.

Obtaining the Entity ID for the OAM IdP service

Complete the following steps to obtain the Entity ID for the OAM IdP service:

1. Open the OAM Access Management console.

2. Click the Federation Settings tab.

3. Copy and save the URL that is shown in the Provider Id field. This is the Entity ID URL.

Next step:

Uploading the OAM Entity ID and OAM certificate

Uploading the OAM Entity ID and OAM certificate

Complete the following steps to add the OAM Entity ID and the OAM certificate to VIP Manager:

1. In VIP Manager, click the Account tab.

2. Under the Account tab, select Single Sign-on (VIP Manager Account Single Sign-on screen).

3. Click Edit next to IDP Service Settings.

4. Enter the Entity ID URL that you saved earlier. See Obtaining the Entity ID for the OAM IdP service.

5. Click Browse to select the certificate that you saved earlier. See Obtaining the OAM certificate.

6. Click Submit.

Configuring OAM as your IdP service

Complete the following procedures to configure OAM as your IdP service:

Table 8: General steps for configuring OAM as your IdP service

Step  Description                                                   More Information
1     Enable Federation Services in the OAM Management Console.     Enabling Federation Services in OAM Management Console
2     Create Service Provider Attribute Profiles.                   Create Service Provider Attributes Profiles
3     Create the Service Provider Partner by importing metadata.    Create the Service Provider Partner by importing metadata

Enabling Federation Services in OAM Management Console

Complete the following steps to enable Federation Services:

1. Open the OAM Access Management console.

2. Click the Configuration tab and select Available Services.

3. Click Enable next to Identity Federation.

Next step:

Create Service Provider Attributes Profiles

Create Service Provider Attributes Profiles

Complete the following steps to create service provider attribute profiles:

1. Open the OAM Access Management console.

2. From the Identity Federation tab, select Identity Provider Administration.

3. Select Service Provider Attribute Profiles and click Create SP Attribute Profile.

4. Create your service provider attribute profiles. Use the following Message Attribute Name values. The names must match exactly, because the SAML endpoint ignores any attribute name it does not recognize.

Message Attribute Name   Value                        Always Send (check box)
Name ID                  user.attr.givenname          Yes
PHONE                    user.attr.telephonenumber    Yes
EMAIL                    user.attr.mail               Yes

5. Under the General section, enter Name and Description.

6. Under the Attribute Mapping section, click the plus button to add the attributes shown in the table in step 4.

7. Click Save.

Next step:

Create the Service Provider Partner by importing metadata

Create the Service Provider Partner by importing metadata

Create the service provider partner by importing the appropriate metadata file:

• Download the metadata

• Import the metadata into OAM

Download the metadata

Complete the following steps to download the metadata for My VIP, the Self Service Portal, or VIP Manager:

1. Download the metadata by accessing the appropriate link:

• For My VIP, access https://login.vip.symantec.com/viplogin/saml/metadata

• For the Self Service Portal, access https://ssp.vip.symantec.com/vipssp/saml/metadata

• For VIP Manager, access https://manager.vip.symantec.com/vipmgr/saml/metadata

2. Save the contents as an .xml file.

Next step:

Import the metadata into OAM

Import the metadata into OAM

Use the appropriate procedures to import the metadata and create the service provider partner:

• Import the metadata into OAM for the Self Service Portal

• Import the metadata into OAM for VIP Manager

Import the metadata into OAM for the Self Service Portal

Complete the following steps to create the service provider partner by importing metadata for the Self Service Portal:

1. Open the OAM Access Management console.

2. From the Identity Federation tab, select Identity Provider Administration.

3. Select Search Service Provider Partners and click Create Service Provider Partner.

4. Select the Enable Partner check box.

5. In the General section, enter Name and Description.

6. In the Service Information section:

• Select Protocol SAML2.0.

7. In the Name ID Format section:

• Select the NameID format from the drop-down list as Unspecified.

• Select the NameID value from the drop-down list as User ID Store Attribute. Enter givenname in the value field.

8. In the Mapping Options section, under Attribute Mapping, select the attribute profile created earlier. See Create Service Provider Attributes Profiles.

9. Click Save.

Next step:

Import the metadata into OAM for VIP Manager

Import the metadata into OAM for VIP Manager

Complete the following steps to create a service provider partner by importing metadata for VIP Manager:

1. Open the OAM Access Management console.

2. From the Identity Federation tab, select Identity Provider Administration.

3. Select Search Service Provider Partners and click Create Service Provider Partner.

4. Select the Enable Partner check box.

5. In the General section, enter Name and Description.

6. In the Service Information section:

• Select Protocol SAML2.0.

• For service details, select Enter Manually.

• Set the Provider ID as https://manager.vip.symantec.com/vipmgr.

• Set the Assertion Consumer URL as https://manager.vip.symantec.com/vipmgr/saml/SSO.

• Click Browse to select the metadata file in the .xml format and import it. See Download the metadata.

7. In the Name ID Format section:

• Select the NameID format from the drop-down list as Email Address.

• Select the NameID value from the drop-down list as User ID Store Attribute. Enter mail in the value field. VIP Manager matches this value against the email address of the administrator created in VIP Manager.

8. In the Mapping Options section, under Attribute Mapping, select the attribute profile created earlier.

9. Click Save.

Test the OAM IdP configuration

To test that the OAM IdP is correctly configured, complete the appropriate procedures:

Table 9: General steps for testing the OAM IdP configuration

Step  Description                                                             More Information
1     Test the OAM IdP configuration for the Self Service Portal and My VIP.   Test the OAM IdP configuration for the Self Service Portal and My VIP
2     Test the OAM IdP configuration for VIP Manager.                         Test the OAM IdP configuration for VIP Manager

Test the OAM IdP configuration for the Self Service Portal and My VIP

Complete the following steps to test that the OAM IdP is correctly configured for the Self Service Portal and My VIP:

1. Access the IdP-initiated single sign-on URL. The URL should be in the format:

<IDP_URL_String>?providerid=<Provider_ID>&returnURL=<Return_URL>

Where:

• <IDP_URL_String> is https://<FQDN_OAM_MACHINE>:<OAM_PORT>/oamfed/idp/initiatesso

– <FQDN_OAM_MACHINE> is the fully-qualified domain name of the computer where OAM resides

– <OAM_PORT> is the port on which OAM listens

• <Provider_ID> is one of the following:

– For the Self Service Portal: https://ssp.vip.symantec.com/vipssp

– For My VIP: https://login.vip.symantec.com

• <Return_URL> is one of the following. It must be URL-encoded, because it carries its own query string and would otherwise be split at the first & by OAM:

– For the Self Service Portal:

https://ssp.vip.symantec.com/vipssp/home.v?successUrl=<successUrl>&cancelUrl=<cancelUrl>&errorUrl=<errorUrl>

– For My VIP:

https://login.vip.symantec.com/viplogin/home?successUrl=<successUrl>&cancelUrl=<cancelUrl>&errorUrl=<errorUrl>

– <successUrl> is the URL where the user is sent after signing out of the Self Service Portal or My VIP

– <errorUrl> is the URL where the user is sent if authentication fails

– <cancelUrl> is the URL where the user is sent if the user clicks Cancel on the Enter a Security Code log-on page or if the redirection attempt times out

2. Enter valid VIP credentials. The system displays the credential selection page of the VIP Self Service Portal.
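The AD FS log-on URL procedure (Generating the log-on URL (My VIP and Self Service Portal only)) and the OAM URL above both wrap the VIP home URL, which carries its own successUrl, cancelUrl and errorUrl query string, inside another URL, so encoding mistakes are the usual reason a generated link fails. The following Python script, added here and not part of this guide nor of Microsoft's or Oracle's tooling, builds both kinds of URL and decodes them again so you can confirm what the IdP will actually see. For AD FS it URL-encodes the RPID and target values individually and then encodes the whole RPID=...&RelayState=... string a second time, which is what the TechNet RelayState generator does; for OAM it encodes providerid and returnURL as ordinary query parameters. test.acme.com and oam.acme.com are placeholders, as test.acme.com is in the guide.

```python
"""Added example (not Symantec/Broadcom, Microsoft or Oracle code): build and
decode the IdP-initiated sign-on URLs for AD FS and OAM.  Host names are
placeholders, like test.acme.com in the guide."""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Relying Party Identifier and home URL per application (values from the guide).
# VIP Manager is absent on purpose: it needs no RelayState / returnURL.
APPS = {
    "myvip": ("https://login.vip.symantec.com",
              "https://login.vip.symantec.com/viplogin/home"),
    "ssp": ("https://ssp.vip.symantec.com/vipssp",
            "https://ssp.vip.symantec.com/vipssp/home.v"),
}


def target_url(app, success_url, cancel_url, error_url):
    """'Relay State / Target App' for AD FS, Return_URL for OAM: the VIP home
    page with the three post-sign-on redirect URLs as encoded query parameters."""
    _, home = APPS[app]
    query = urlencode({"successUrl": success_url, "cancelUrl": cancel_url,
                       "errorUrl": error_url})
    return home + "?" + query


def adfs_logon_url(idp_url, app, target):
    """AD FS IdpInitiatedSignon URL.  Each value is encoded on its own first
    (the target contains ? and &), then the whole RPID=...&RelayState=...
    string is encoded again and placed in the outer RelayState parameter."""
    rpid, _ = APPS[app]
    inner = "RPID=%s&RelayState=%s" % (quote(rpid, safe=""), quote(target, safe=""))
    return "%s?RelayState=%s" % (idp_url, quote(inner, safe=""))


def decode_adfs_logon_url(url):
    """Reverse of adfs_logon_url: returns (rpid, target) as AD FS will see them,
    so you can check a generated link before handing it to users."""
    outer = parse_qs(urlsplit(url).query)["RelayState"][0]   # first decode layer
    inner = parse_qs(outer)                                   # second decode layer
    return inner["RPID"][0], inner["RelayState"][0]


def oam_logon_url(fqdn, port, app, target, scheme="https"):
    """OAM IdP-initiated URL from the guide's test procedure:
    /oamfed/idp/initiatesso?providerid=<Provider_ID>&returnURL=<Return_URL>"""
    provider_id, _ = APPS[app]
    query = urlencode({"providerid": provider_id, "returnURL": target})
    return "%s://%s:%s/oamfed/idp/initiatesso?%s" % (scheme, fqdn, port, query)


def decode_oam_logon_url(url):
    """Returns (providerid, returnURL) as OAM will decode them."""
    q = parse_qs(urlsplit(url).query)
    return q["providerid"][0], q["returnURL"][0]


if __name__ == "__main__":
    signout = "https://test.acme.com/adfs/ls/?wa=wsignout1.0"      # placeholder IdP sign-out URL
    target = target_url("ssp", signout, signout, signout)
    print(adfs_logon_url("https://test.acme.com/adfs/ls/IdpInitiatedSignon.aspx", "ssp", target))
    print(oam_logon_url("oam.acme.com", 14100, "myvip", target))   # placeholder OAM host/port
```

A generated AD FS link should contain exactly one ? and no bare &; if either check fails, a value was left unencoded and AD FS will truncate the RelayState at the first & it finds.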

Test the OAM IdP configuration for VIP Manager

Complete the following steps to test that the OAM IdP is correctly configured for VIP Manager:

1. Access the IdP-initiated single sign-on URL for VIP Manager. It has the same form as for the Self Service Portal, https://<FQDN_OAM_MACHINE>:<OAM_PORT>/oamfed/idp/initiatesso?providerid=<Provider_ID>, with <Provider_ID> set to the Provider ID you entered for the VIP Manager partner (https://manager.vip.symantec.com/vipmgr). No returnURL is needed, because RelayStateUrl is not required for VIP Manager.

Where:

• <FQDN_OAM_MACHINE> is the fully-qualified domain name of the computer where OAM resides

• <OAM_PORT> is the port on which OAM listens

2. Enter valid VIP administrator credentials. The system displays the VIP Manager Enter Security Code page.

Troubleshooting OAM IdP configuration

The following table lists solutions to some issues you may experience when configuring OAM as an IdP for VIP Services.

Table 10: Troubleshooting OAM IdP configuration

Problem: The user is redirected to a blank page after entering valid credentials on the Single Sign-On log-on page.
Solution: Make sure that the Provider Id shown on the OAM Federation Settings tab and the Entity ID configured in the VIP Manager Single Sign-on settings are identical.

Problem: The system displays the error message "No email or phone number options are available to receive a temporary security code for sign-in. Contact your organization's administrator for assistance" after authentication.
Solution: Verify the following for your Service Provider Attribute Profiles:
• The user has values for all the configured attributes.
• The value for Message Attribute Name is correct (PHONE and EMAIL, spelled exactly as the SAML endpoint expects).

Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. Copyright ©2020 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
